SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #19

March 7, 2017

Tomorrow (Wednesday, March 8) is the final day to use the early bird discount code "EarlyBird17" to save on any of the 39 four-to-six day courses at SANS 2017 in Orlando next month. Three completely new courses help boost productivity and effectiveness in advanced security teams: FOR572: Advanced Network Forensics and Analysis; SEC573: Automating Information Security with Python; and SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques. Many attendees bring their families down for the weekend to make their learning opportunity into a fun, family, Disney event. More at https://www.sans.org/event/sans-2017

PESCATORE'S FIRST LOOK: CA ACQUIRES VERACODE

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Malwarebytes ***************************
Cyberattacks and cybersecurity, or a lack thereof, grabbed media attention on both the corporate and consumer sides, even becoming a key issue in the US presidential election. In this respect, you could say that everyone, even those who have never logged on, was affected by cyberattacks and hacking in 2016. Check out this research paper: http://www.sans.org/info/192527
***************************************************************************

TOP OF THE NEWS

According to the Final Report of the Defense Science Board Task Force on Cyber Deterrence, the US military lacks the cyber capabilities to defend against potential attacks against financial systems, telecommunications systems, and other elements of critical infrastructure launched by Russia or China. Furthermore, the US military's dependence on IT makes it vulnerable to attacks that could diminish its capabilities to respond to such attacks. The task force recommends that the Pentagon develop a second-strike capability that is cyber-resilient.
[Editor Comments]
[Murray] We need standards and metrics for survivability and resilience. "If we cannot measure it, we cannot recognize its presence or absence," much less improve it. Standards and metrics are what we have NIST for. Perhaps this was more obvious when the name was National Bureau of Standards.
Read more in:
CyberScoop: Report: U.S. military can't guarantee retaliation against major cyber attack https://www.cyberscoop.com/defense-science-board-cyber-deterrence-task-force/?category_news=technology

Electric Grid Resilience Under Review
(March 1, 2017)

Attacks against supervisory control and data acquisition (SCADA) systems are becoming increasingly sophisticated and targeted. Attacks often begin by gaining purchase within a system and conducting reconnaissance to determine the structure of the network. From there, they often move throughout the system to establish persistence and eventually control of the targeted system. It is likely that many systems have already been compromised. Data analytics and machine learning could help protect the grid from attackers by detecting intrusion attempts.
[Editor Comments]
[Paller] One of the most comprehensive and well-reported articles on the reality of cybersecurity on the electric grid.
[Murray] One may never wake a "sleeper" attack, but one certainly wants the capability. Given that active attacks often take weeks to months to discover, sleeper attacks might well never be discovered if one is not diligent. The use of content control tools such as Tripwire can be useful in limiting the size of the space in which they can hide.
Read more in:
AFCEA: Girding the Grid for Cyberattacks http://www.afcea.org/content/?q=Article-girding-grid-cyber-attacks
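The "content control" idea in the editor comment above (a Tripwire-style integrity baseline that shrinks the space where a dormant implant can sit unnoticed) is easy to see in a small script. The following is an added illustration, not code from the AFCEA article, from Tripwire, or from SANS; the directory layout, file names and the simulated tampering in demo() are all constructed for the example.

```python
"""Baseline-and-compare file integrity check, in the spirit of the
Tripwire-style content control mentioned in the editor comment.
Added illustration; not code from the article, from Tripwire, or from SANS."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    table = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # Skip symlinks: we baseline content on this host, not link targets.
            if path.is_symlink() or not path.is_file():
                continue
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            table[path.relative_to(root).as_posix()] = digest.hexdigest()
    return table


def diff_snapshots(baseline, current):
    """Classify every path as added, removed, or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree standing in for a control-system
    host, then simulate a config edit and a dropped file, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "plc.conf").write_text("poll_interval=5\n")
        (root / "bin" / "collector").write_bytes(b"\x7fELF-constructed-sample")
        baseline = snapshot(root)

        # Simulated tampering (constructed): config edited, new file dropped,
        # the existing collector left untouched. 203.0.113.7 is a documentation address.
        (root / "etc" / "plc.conf").write_text("poll_interval=5\nupload_to=203.0.113.7\n")
        (root / "bin" / "svchost_helper").write_bytes(b"constructed-stub")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is stored off-host (or signed) so that whoever alters a file cannot also alter the record of its hash, and the comparison is scheduled and alerted on; the point of the snippet is only to show why a known-good baseline turns "it could be anywhere" into a short list of changed paths.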

THE REST OF THE WEEK'S NEWS

The non-profit, product-testing organization Consumer Reports (CR) will start including evaluations of products' online security and privacy features in its product reviews. CR is also part of a collective that is creating a standard to guide the development of digital products. "The goal [of the Digital Standard] is to help consumers understand which digital products do the most to protect their privacy and security, and give them the most control over their personal data."
[Editor Comments]
[Pescatore] Consumer Reports has been a strong advocate of car safety in the past, and anything that gets consumers to pay more attention to the safety of software and home products is a good thing, if done well. Their draft "Digital Standard" is a good starting point - I especially like that it starts with "The product was built with effectively implemented safety features" and looks for evidence of static analysis and fuzzing of all software.
[Murray] I agree with John Pescatore. I would like for the broad standard to be 1) "does what, and only what, its label says that it does" (minimum attack surface) and 2) requires a label that instructs the buyer in its safe use (application and environment, e.g., whether it is intended for direct connection to public, as opposed to enterprise or SOHO, networks). Products are never "secure," only "securable."
[Northcutt] CITL could actually move the needle. Consumer Reports is an established brand with a long history of balanced product evaluation. In one sense I sighed when I read thedigitalstandard.org; I am new-standards weary. However, I encourage you to check out the web page. It is very pragmatic. I just hope they do not succumb to becoming bloatware over the next few years.
Read more in:
Consumer Reports: Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security http://www.consumerreports.org/privacy/consumer-reports-to-begin-evaluating-products-services-for-privacy-and-data-security/
The Hill: Consumer Reports to test products for privacy, data security http://thehill.com/policy/cybersecurity/322463-consumer-reports-to-test-products-for-privacy-data-security
CNET: Consumer Reports to factor cybersecurity into reviews https://www.cnet.com/news/consumer-reports-cybersecurity-privacy-product-reviews/
The Digital Standard: The Digital Standard https://www.thedigitalstandard.org/

A former Columbia Sportswear employee allegedly accessed the company's network hundreds of times after leaving to work for Denali Advanced Integration, a tech consulting company that was one of Columbia's business partners. According to a complaint filed in a US federal court in Oregon, before Michael Leeper left the company, he allegedly created a backdoor that allowed him remote access to Columbia's network. Leeper allegedly stole sensitive corporate information by accessing the network hundreds of times over a two-year period. The stolen information was allegedly used "in furtherance of Denali's desire to profit from its business relationship with Columbia."
Read more in:
The Register: Ex penetrated us almost 700 times through secret backdoor, biz alleges http://www.theregister.co.uk/2017/03/06/columbia_sportswear_versus_denali/
RegMedia: Complaint: Columbia Sportswear Company v. 3MD Inc. dba Denali Advanced Integration and Michael Leeper (PDF) https://regmedia.co.uk/2017/03/06/columbia_sportswear_filing.pdf

Legislation introduced in the US House of Representatives would allow companies that have been hit with cyberattacks to break into networks used by the attackers, with the caveat that they do no harm, but use the access only to stop the attack or gather information about the identity of the attackers to share with law enforcement. Such activity is currently prohibited under the Computer Fraud and Abuse Act. The Active Cyber Defense Certainty Act would not protect companies from liability if they destroy data or otherwise cause harm.
[Editor Comments]
[Murray and Neely] Bad public policy. Law should not encourage or license disorderly behavior. Amateurs engaging in such activity might corrupt evidence, alert perpetrators, or cause other damage.
[Williams] The part about not shielding you from liability is the most significant. There is often a big difference between intent and impact. Every penetration tester will also tell you that they are blamed for every outage from the time they start the engagement until they are done. Attackers rarely attack a network directly from their home network range. They are much more likely to use a compromised network of no intelligence value (a hop point). In the hacking back space, if this passes, expect to see lawsuits against organizations that "hack back" to an attacker only to find out they have targeted another victim (victimizing them again).
Read more in:
NextGov: House Bill Would Give Companies Leeway to Hack Back http://www.nextgov.com/cybersecurity/2017/03/house-bill-would-give-companies-some-leeway-hack-back/135892/?oref=ng-channeltopstoryds

State Cyber Resiliency Act Introduced in US House and Senate
(March 2, 2017)

US legislators have introduced a bill that aims to increase state and local governments' access to cybersecurity resources. Most state and local governments allocate less than two percent of their budgets to cybersecurity, while half of them experienced at least six breaches over a two-year period. The State Cyber Resiliency Act would establish a grant program to help state and local governments develop cyber resiliency plans.
Read more in:
FCW: Grant program would support state, local cybersecurity https://fcw.com/articles/2017/03/02/state-cyber-bill-rockwell.aspx
PESCATORE'S FIRST LOOK: CA ACQUIRES VERACODE
The demand for application security testing has grown steadily over the past few years, with Gartner projecting a 14% average growth rate through 2020, almost twice as high as the average revenue growth for cybersecurity overall. Veracode was growing faster than average, more than doubling its revenue 2014-2016. CA acquired Rally Software in 2015, increasing its focus on DevOps and application development, monitoring and governance. In theory, application security testing is a good fit in that mix, but in practice the most successful integrations of app security testing into the development front end require a strong CISO push from the back end - getting it in use as part of QA/production readiness review and then moving upstream. For existing Veracode customers, CA does not have a strong track record when acquiring security vendors, and support and product quality should be closely monitored - while Veracode's products and services have been very strong, there are several alternatives. For security programs that have been unable to get app security testing funded and implemented, if you are a CA shop, this should provide an opportunity to do so.
URL: http://www.bizjournals.com/boston/news/2017/03/06/ca-technologies-to-pay-614m-for-burlington.html